Data binding does not filter HTTP headers for constructor binding

[jannikFuellgrafEnvite]

Summary

Since upgrading to Spring Boot 3.4.1, we have observed unexpected behavior where HTTP headers with names matching @JsonProperty annotations on POJO fields are being automatically deserialized into those fields. This behavior was not present in earlier versions.

---

Observations

1. Affected Behavior:

   • An HTTP request with a priority header results in deserialization into the TaskQueryFilterParameter.priorityIn field, which has the annotation @JsonProperty("priority").
   • Similarly, a planned header is deserialized into the TaskQueryFilterParameter.plannedWithin field, annotated with @JsonProperty("planned").

2. Reproducibility:

   • This behavior occurs whenever request headers match the names used in @JsonProperty annotations on request object fields.

3. Impact:

   • This behavior can lead to unintended data mapping, affecting applications that rely on these headers for different purposes.

4. Analysis Results:

   • After reviewing the dependencies and updates introduced with Spring Boot 3.4.1, we were unable to identify the specific cause (e.g., a library or code change).
   • It is unclear whether this is an intentional feature or a regression.

Expected Behavior

It is unclear whether HTTP headers with names matching @JsonProperty annotations should be automatically deserialized into POJO fields. If this is the intended behavior, guidance on how to configure or disable it would be helpful.

Actual Behavior

HTTP headers with names matching @JsonProperty annotations are deserialized into the respective POJO fields, even without explicit configuration.

---

Questions

1. Is this behavior an intentional change in Spring Boot 3.4.1?
2. If so, what is its purpose, and how can it be disabled if undesired?
3. If this is a bug, is there a planned fix or workaround?

---

Thank you for your time and assistance! 😊

[bclozel]

This is a new feature introduced in Spring Framework 6.2.

We have refined this behavior in 6.2.2. The priority header should not be bound anymore. As for the "planned" header, I've never seen this header, is this something common? In any case, you can get more control over the header binding with the following: #34182 (comment)

This week's Spring Boot release will use this version, but you can already upgrade in your build with the "spring-framework.version" property.

[jannikFuellgrafEnvite]

Thank you for the quick and detailed response! 😊

Regarding the “planned” header, it is not a standard header but rather a custom one we introduced specifically to test and confirm the behavior alongside the “priority” header. Its sole purpose was to validate that headers matching @JsonProperty annotations are consistently being bound, regardless of whether they are commonly used or not.

[bclozel]

Alright thanks for the feedback.
I'll close this issue now, since the situation is already resolved for "priority" and that apps can opt-out of this feature for all other headers as well.

Thanks for reaching out!

[jannikFuellgrafEnvite]

Dear @bclozel,

Unfortunately, the issue has not been resolved yet in our setup. I am attaching the error message below, which indicates that the priority header is still being applied.
Is there a specific configuration that needs to be considered to achieve the expected behavior?

Since I do not have the necessary permissions to reopen the ticket, I hope this comment reaches you and that we can still solve the issue.

org.springframework.web.bind.MethodArgumentNotValidException: Validation failed for argument [1] in public org.springframework.http.ResponseEntity<io.kadai.task.rest.models.TaskSummaryPagedRepresentationModel> io.kadai.task.rest.TaskController.getTasks(jakarta.servlet.http.HttpServletRequest,io.kadai.task.rest.TaskQueryFilterParameter,io.kadai.task.rest.TaskQueryFilterCustomFields,io.kadai.task.rest.TaskQueryFilterCustomIntFields,io.kadai.task.rest.TaskQueryGroupByParameter,io.kadai.task.rest.TaskController$TaskQuerySortParameter,io.kadai.common.rest.QueryPagingParameter<io.kadai.task.api.models.TaskSummary, io.kadai.task.api.TaskQuery>): [Field error in object 'taskQueryFilterParameter' on field 'priority': rejected value [u=3, i]; codes [typeMismatch.taskQueryFilterParameter.priority,typeMismatch.priority,typeMismatch.[I,typeMismatch]; arguments [org.springframework.context.support.DefaultMessageSourceResolvable: codes [taskQueryFilterParameter.priority,priority]; arguments []; default message [priority]]; default message [Failed to convert value of type 'java.lang.String' to required type 'int[]'; For input string: "u=3,i"]]

[bclozel]

Can you point me to something I can run in order to reproduce the issue?